Submission Details
Severity:
OWPIdentity token not minted when users join DAO.
Vulnerability details
As per One world project OWPIdentity token is a non-transferable token that is being minted when a user joins the DAO. And it serves as a purpose of identity that a particular user is a part of the OWP protocol.
But in the joinDAO function only MembershipERC1155 token is being minted, OWPIdentity token is not minted.
function joinDAO(address daoMembershipAddress, uint256 tierIndex) external {
require(daos[daoMembershipAddress].noOfTiers > tierIndex, "Invalid tier.");
require(daos[daoMembershipAddress].tiers[tierIndex].amount > daos[daoMembershipAddress].tiers[tierIndex].minted, "Tier full.");
uint256 tierPrice = daos[daoMembershipAddress].tiers[tierIndex].price;
uint256 platformFees = (20 * tierPrice) / 100;
daos[daoMembershipAddress].tiers[tierIndex].minted += 1;
IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
@> IMembershipERC1155(daoMembershipAddress).mint(_msgSender(), tierIndex, 1);
emit UserJoinedDAO(_msgSender(), daoMembershipAddress, tierIndex);
//@audit when someone joins the DAO only membership NFT is being minted. The owp identity NFT is not minted.
}
Currently no implementation is present to mint the OWPIdentity token when a user joins.
Impact
There is no way to identify if a user is a part of OWP, we can consider Membership1155 token as a identity but it is transferable.
Tools used
Manual review
Recommended mitigation
Mint the OWPIdentity token
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
54128 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.